Three units of HSBC Group have been fined GBP 3.185 million (USD 5.2 million) by Britain’s financial regulator for failing to protect consumer data from loss or theft.
The Financial Services Authority (FSA) said all three firms had been warned by HSBC Group Insurance’s compliance team about the need for robust data security controls in July 2007.
But in February 2008 an unencrypted CD containing the details of 180,000 policy holders was lost in the post.
The FSA said HSBC Life UK Ltd was fined GBP 1.61 million, HSBC Actuaries and Consultants Ltd was fined GBP 875,000 and HSBC Insurance Brokers Ltd was fined GBP 700,000.
HSBC said that no clients had reported losses as a result of these failures.
The FSA said it found that large amounts of unencrypted customer data had been sent by post or courier to third parties.
Confidential information about customers was left on open shelves or in unlocked cabinets, and staff were not given sufficient training on identifying and managing risks like identity theft, the regulator said.
Margaret Cole, the agency’s director of enforcement, said all three firms failed their customers by being careless with personal details which could have ended up in the hands of criminals.
"It is also worrying that increasing awareness around the importance of keeping personal information safe and the dangers of fraud did not prompt the firms to do more to protect their customers’ details," she said.
The largest previous fine for data protection failures was the GBP 1.26 million assessed against Norwich Union.
HSBC said it had contacted customers who were potentially affected, and said 33,500 employees had received data protection training.
"We hold ourselves to the highest standards, but it is clear that in these instances we have fallen short, which we sincerely regret," said Clive Bannister, group managing director of HSBC Insurance.